Dashboards & Visualizations

Having trouble with the If else condition for dashboard using stats

ranjithan
Path Finder

Hi Team,

Below is my query:

index=os sourcetype=linux_mpio Firmware_Version="----------------------- DISK INFORMATION --------------------------*" host IN (r3ddclxp00003*) | dedup host
| rex max_match=0 "(?ms)^DISK\=\"(?<DISK>[^\"]+)\"\s+NAME\=\"(?<NAME>[^\"]+)\"\s+HCTL\=\"(?<HCTL>[^\"]+)\"\s+TYPE\=\"(?<TYPE>[^\"]+)\"\s+VENDOR\=\"(?<VENDOR>[^\"]+)\"\s+SIZE\=\"(?<SIZE>[^\"]+)\"\s+SCSIHOST\=\"(?<SCSIHOST>[^\"]+)\"\s+CHANNEL\=\"(?<CHANNEL>[^\"]+)\"\s+ID\=\"(?<ID>[^\"]+)\"\s+LUN\=\"(?<LUN>[^\"]+)\"\s+BOOTDISK\=\"(?<BOOTDISK>[^\"]+)\""
| stats values(_time) AS TIME, values(NAME) as "DISK NAME" , list(SIZE) AS SIZE, list(VENDOR) AS VENDOR, list(LUN) AS LUN, list(BOOTDISK) as BOOTDISK by host | appendcols [search index=os sourcetype=linux_mpio host IN (r3ddclxp00003*) Firmware_Version="------------------------- MULTIPATH STATUS ----------------------------*"  | dedup host |rex max_match=0 "^(?<lines>.+)\n+" | eval first_line=mvindex(lines,2,15) | rex field=first_line "^(?<name>\w+)\s+(?<uuid>[^ ]+)" | stats list(name) AS "MPATH" , LIST(uuid) AS UUID BY host ] | table host, "DISK NAME" ,VENDOR SIZE, LUN, UUID , MPATH| rename host as Host, SIZE AS Size, "DISK NAME" AS "Disk Name", VENDOR AS Vendor, LUN AS "LUN ID"

and below is my output:

ranjithan_1-1647691193825.png

 

Would it be possible to add a line break for UUID and MPATH?

For example: can we use an if else condition where in IF VENDOR(1) =LSI then add a line break for UUID so that the appropriate values will be mapped...

Thanks for the help,

Ranjitha N

 

Labels (1)
Tags (2)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It is not clear to me what it is that you are trying to do here. Where do you want a line break? What are you trying to "map"?

Can you share some same events of both types and a mockup of what your expected output might look like?

ranjithan
Path Finder

Please find the screenshots of sample events:

 

ranjithan_0-1647710962123.png

 

For query 2:

 

------------------------- MULTIPATH STATUS -----------------------------

name uuid sysfs size dm-st paths failures action path_faults vend prod rev mpatha 3624a9370b405ec36b383443d000113e6 dm-1 100G active 8 0 create 0 PURE FlashArray 8888 mpathb 3624a9370b405ec36b383443d000113e7 dm-2 300G active 8 0 create 0 PURE FlashArray 8888 mpathc 3624a9370b405ec36b383443d000113e8 dm-3 2.0T active 8 0 create 0 PURE FlashArray 8888 mpathd 3624a9370b405ec36b383443d000113e9 dm-4 1.0T active 8 0 create 0 PURE FlashArray 8888 mpathe 3624a9370b405ec36b383443d000113ea dm-5 500G active 8 0 create 0 PURE FlashArray 8888

 

 

I need to map the appropriate UUID's to the appropriate LUN ID's. For instance UUID values should be mapped to LUN ID's ranging 1-5 . 

 

Thank You,

Ranjitha N

 

 

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

So, are you saying that LUN equates to x in dm-x?

ranjithan
Path Finder

Yes, and it also maps to the "Vendor" and "Disk Name" fields in the other query.

 

Please help me.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Can you share the events in code blocks </> as it makes them a lot easier to deal with than screenshots?

ranjithan
Path Finder

@ITWhisperer wrote:

Can you share the events in code blocks </> as it makes them a lot easier to deal with than screenshots?


----------------------- DISK INFORMATION ----------------------------

DISK="/dev/sda" NAME="sda" HCTL="0:2:0:0" TYPE="disk" VENDOR="LSI " SIZE="222.6G" SCSIHOST="0" CHANNEL="2" ID="0" LUN="0" BOOTDISK="TRUE"

DISK="/dev/sdm" NAME="sdm" HCTL="1:0:0:1" TYPE="disk" VENDOR="PURE " SIZE="100G" SCSIHOST="1" CHANNEL="0" ID="0" LUN="1" BOOTDISK="FALSE"

DISK="/dev/sdp" NAME="sdp" HCTL="1:0:0:2" TYPE="disk" VENDOR="PURE " SIZE="300G" SCSIHOST="1" CHANNEL="0" ID="0" LUN="2" BOOTDISK="FALSE"

DISK="/dev/sds" NAME="sds" HCTL="1:0:0:3" TYPE="disk" VENDOR="PURE " SIZE="2T" SCSIHOST="1" CHANNEL="0" ID="0" LUN="3" BOOTDISK="FALSE"

DISK="/dev/sdx" NAME="sdx" HCTL="1:0:0:4" TYPE="disk" VENDOR="PURE " SIZE="1T" SCSIHOST="1" CHANNEL="0" ID="0" LUN="4" BOOTDISK="FALSE"

DISK="/dev/sdaa" NAME="sdaa" HCTL="1:0:0:5" TYPE="disk" VENDOR="PURE " SIZE="500G" SCSIHOST="1" CHANNEL="0" ID="0" LUN="5" BOOTDISK="FALSE"

DISK="/dev/sdae" NAME="sdae" HCTL="1:0:1:1" TYPE="disk" VENDOR="PURE " SIZE="100G" SCSIHOST="1" CHANNEL="0" ID="1" LUN="1" BOOTDISK="FALSE"

DISK="/dev/sdah" NAME="sdah" HCTL="1:0:1:2" TYPE="disk" VENDOR="PURE " SIZE="300G" SCSIHOST="1" CHANNEL="0" ID="1" LUN="2" BOOTDISK="FALSE"

DISK="/dev/sdaj" NAME="sdaj" HCTL="1:0:1:3" TYPE="disk" VENDOR="PURE " SIZE="2T" SCSIHOST="1" CHANNEL="0" ID="1" LUN="3" BOOTDISK="FALSE"

DISK="/dev/sdal" NAME="sdal" HCTL="1:0:1:4" TYPE="disk" VENDOR="PURE " SIZE="1T" SCSIHOST="1" CHANNEL="0" ID="1" LUN="4" BOOTDISK="FALSE"

DISK="/dev/sdan" NAME="sdan" HCTL="1:0:1:5" TYPE="disk" VENDOR="PURE " SIZE="500G" SCSIHOST="1" CHANNEL="0" ID="1" LUN="5" BOOTDISK="FALSE"

DISK="/dev/sdl" NAME="sdl" HCTL="2:0:0:1" TYPE="disk" VENDOR="PURE " SIZE="100G" SCSIHOST="2" CHANNEL="0" ID="0" LUN="1" BOOTDISK="FALSE"

DISK="/dev/sdo" NAME="sdo" HCTL="2:0:0:2" TYPE="disk" VENDOR="PURE " SIZE="300G" SCSIHOST="2" CHANNEL="0" ID="0" LUN="2" BOOTDISK="FALSE"

DISK="/dev/sdt" NAME="sdt" HCTL="2:0:0:3" TYPE="disk" VENDOR="PURE " SIZE="2T" SCSIHOST="2" CHANNEL="0" ID="0" LUN="3" BOOTDISK="FALSE"

DISK="/dev/sdw" NAME="sdw" HCTL="2:0:0:4" TYPE="disk" VENDOR="PURE " SIZE="1T" SCSIHOST="2" CHANNEL="0" ID="0" LUN="4" BOOTDISK="FALSE"

DISK="/dev/sdz" NAME="sdz" HCTL="2:0:0:5" TYPE="disk" VENDOR="PURE " SIZE="500G" SCSIHOST="2" CHANNEL="0" ID="0" LUN="5" BOOTDISK="FALSE"

DISK="/dev/sdad" NAME="sdad" HCTL="2:0:1:1" TYPE="disk" VENDOR="PURE " SIZE="100G" SCSIHOST="2" CHANNEL="0" ID="1" LUN="1" BOOTDISK="FALSE"

 

 

 

 

 

second log:

 

------------------------- MULTIPATH STATUS -----------------------------

name uuid sysfs size dm-st paths failures action path_faults vend prod rev mpatha 3624a9370b405ec36b383443d000113e6 dm-1 100G active 8 0 create 0 PURE FlashArray 8888 mpathb 3624a9370b405ec36b383443d000113e7 dm-2 300G active 8 0 create 0 PURE FlashArray 8888 mpathc 3624a9370b405ec36b383443d000113e8 dm-3 2.0T active 8 0 create 0 PURE FlashArray 8888 mpathd 3624a9370b405ec36b383443d000113e9 dm-4 1.0T active 8 0 create 0 PURE FlashArray 8888 mpathe 3624a9370b405ec36b383443d000113ea dm-5 500G active 8 0 create 0 PURE FlashArray 8888

 

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does something like this work (I have assumed that multipath information should be spread across lines - if not, you would need to modify the extraction part accordingly)

| makeresults
| eval _raw="----------------------- DISK INFORMATION ----------------------------
DISK=\"/dev/sda\" NAME=\"sda\" HCTL=\"0:2:0:0\" TYPE=\"disk\" VENDOR=\"LSI \" SIZE=\"222.6G\" SCSIHOST=\"0\" CHANNEL=\"2\" ID=\"0\" LUN=\"0\" BOOTDISK=\"TRUE\"
DISK=\"/dev/sdm\" NAME=\"sdm\" HCTL=\"1:0:0:1\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"100G\" SCSIHOST=\"1\" CHANNEL=\"0\" ID=\"0\" LUN=\"1\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdp\" NAME=\"sdp\" HCTL=\"1:0:0:2\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"300G\" SCSIHOST=\"1\" CHANNEL=\"0\" ID=\"0\" LUN=\"2\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sds\" NAME=\"sds\" HCTL=\"1:0:0:3\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"2T\" SCSIHOST=\"1\" CHANNEL=\"0\" ID=\"0\" LUN=\"3\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdx\" NAME=\"sdx\" HCTL=\"1:0:0:4\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"1T\" SCSIHOST=\"1\" CHANNEL=\"0\" ID=\"0\" LUN=\"4\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdaa\" NAME=\"sdaa\" HCTL=\"1:0:0:5\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"500G\" SCSIHOST=\"1\" CHANNEL=\"0\" ID=\"0\" LUN=\"5\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdae\" NAME=\"sdae\" HCTL=\"1:0:1:1\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"100G\" SCSIHOST=\"1\" CHANNEL=\"0\" ID=\"1\" LUN=\"1\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdah\" NAME=\"sdah\" HCTL=\"1:0:1:2\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"300G\" SCSIHOST=\"1\" CHANNEL=\"0\" ID=\"1\" LUN=\"2\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdaj\" NAME=\"sdaj\" HCTL=\"1:0:1:3\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"2T\" SCSIHOST=\"1\" CHANNEL=\"0\" ID=\"1\" LUN=\"3\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdal\" NAME=\"sdal\" HCTL=\"1:0:1:4\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"1T\" SCSIHOST=\"1\" CHANNEL=\"0\" ID=\"1\" LUN=\"4\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdan\" NAME=\"sdan\" HCTL=\"1:0:1:5\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"500G\" SCSIHOST=\"1\" CHANNEL=\"0\" ID=\"1\" LUN=\"5\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdl\" NAME=\"sdl\" HCTL=\"2:0:0:1\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"100G\" SCSIHOST=\"2\" CHANNEL=\"0\" ID=\"0\" LUN=\"1\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdo\" NAME=\"sdo\" HCTL=\"2:0:0:2\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"300G\" SCSIHOST=\"2\" CHANNEL=\"0\" ID=\"0\" LUN=\"2\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdt\" NAME=\"sdt\" HCTL=\"2:0:0:3\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"2T\" SCSIHOST=\"2\" CHANNEL=\"0\" ID=\"0\" LUN=\"3\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdw\" NAME=\"sdw\" HCTL=\"2:0:0:4\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"1T\" SCSIHOST=\"2\" CHANNEL=\"0\" ID=\"0\" LUN=\"4\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdz\" NAME=\"sdz\" HCTL=\"2:0:0:5\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"500G\" SCSIHOST=\"2\" CHANNEL=\"0\" ID=\"0\" LUN=\"5\" BOOTDISK=\"FALSE\"
DISK=\"/dev/sdad\" NAME=\"sdad\" HCTL=\"2:0:1:1\" TYPE=\"disk\" VENDOR=\"PURE \" SIZE=\"100G\" SCSIHOST=\"2\" CHANNEL=\"0\" ID=\"1\" LUN=\"1\" BOOTDISK=\"FALSE\""
``` sets up example disk information ```
``` split into separate lines ```
| rex max_match=0 "^(?<lines>.+)\n?" 
``` drop first line ```
| eval first_line=mvindex(lines,1,-1) 
``` expand to separate events ```
| mvexpand first_line
``` copy to _raw so extract works ```
| eval _raw=first_line
``` extract fields (default delimiters are fine for your data) ```
| extract
``` drop unwanted fields ```
| fields - lines first_line _raw
``` join with multipath data by LUN ```
| join type=outer LUN
    [| makeresults
    | eval _raw="------------------------- MULTIPATH STATUS -----------------------------

name uuid sysfs size dm-st paths failures action path_faults vend prod rev
mpatha 3624a9370b405ec36b383443d000113e6 dm-1 100G active 8 0 create 0 PURE FlashArray 8888
mpathb 3624a9370b405ec36b383443d000113e7 dm-2 300G active 8 0 create 0 PURE FlashArray 8888
mpathc 3624a9370b405ec36b383443d000113e8 dm-3 2.0T active 8 0 create 0 PURE FlashArray 8888
mpathd 3624a9370b405ec36b383443d000113e9 dm-4 1.0T active 8 0 create 0 PURE FlashArray 8888
mpathe 3624a9370b405ec36b383443d000113ea dm-5 500G active 8 0 create 0 PURE FlashArray 8888"
    ``` sets up example multipath information ```
    ``` split into separate lines ```
    | rex max_match=0 "^(?<lines>.+)\n*"
    ``` drop first 2 lines ```
    | eval first_line=mvindex(lines,2,-1) 
    ``` expand to separate events ```
    | mvexpand first_line
    ``` extract fields (assuming LUN is numeric part of sysfs) ```
    | rex field=first_line "^(?<MPATH>\w+)\s+(?<UUID>[^ ]+)\s+\w+\-(?<LUN>\d+)" 
    ``` keep required fields ```
    | table MPATH UUID LUN ]

ranjithan
Path Finder

Thank You for the detailed inputs. Let my give this a try and update you.

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...